I had sent this early this morning, but it never made it to the list. It's not the first time my ISP has eaten my email. I wonder how many of my resumes didn't get delivered, might explain a couple of things....

As a PS to the below mail:

1) Or go with what Martin suggested, use an IP address on 20.xx
2) Post a shorewall dump of the vserver box, the router seems to be fine.

Jerry Vonau wrote:
> mess-mate wrote:
>> Tom Eastep wrote:
>>
>>> Martin Leben wrote:
>>>
>>>> If you have more questions about vserver networking, I am sure that
>>>> you would get better help on a mailing list or forum about vserver
>>>> where the vserver experts hang out, than you get on this list.
>>>> Remember, this is a list about the Shoreline Firewall (a.k.a.
>>>> shorewall), not about general Linux or vserver networking issues.
>>>
>>> I agree. OS virtualization solutions like Vserver and OpenVZ don't
>>> work like machine virtualization solutions like Xen and KVM. I use the
>>> latter, not the former.
>>>
>>> The way I _thought_ Vserver works, you could do what you want by
>>> changing the rule on your router to:
>>>
>>> DNAT $FW dmz:192.168.30.1 tcp 80 - $ETH0_IP
>>>
>>> That doesn't work?
>>>
>>> -Tom
>>
>> No, I tried it
>> mess-mate
>
> From your other post:
>
> 192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
> 192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
> default via 192.168.20.254 dev eth1
>
> If this is the routing of the troubled guest system (is it?), then the
> default gateway is wrong .... You're DNAT'ing to 30.1 but that address
> doesn't have a route back to the internet. Change the default to 30.??
> but your "router" doesn't have an IP address on 192.168.30.xx, just a route.
>
> The rule that you first asked about:
> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>
> I believe that should be on the vserver host.... to hide the fact that
> the routing is really broken.
>
> In your case:
> iptables -t nat -A POSTROUTING -s 192.168.30.1 -j SNAT --to-source 192.168.20.1
> in shorewall:
> eth1 192.168.30.1 192.168.20.1 tcp 80
>
> You asked why when changing the DNAT rule on the router the v-host still
> received the traffic, did you remember to bind the web servers to
> different IP addresses?
>
>
> Jerry
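
The return-path check described in the quoted message, as an added example that is not part of the thread: it parses the `ip route` output quoted above and reports whether a DNAT target address sits on the default gateway's subnet, and if not, which local address the SNAT workaround would rewrite to. The function names and status strings are assumptions made for this example.

```python
import ipaddress

# `ip route` output quoted in the thread.
ROUTES = """\
192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
default via 192.168.20.254 dev eth1
"""

def parse_routes(text):
    """Return ({connected network: local src address}, default gateway)."""
    connected, gateway = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "default" and "via" in f:
            gateway = ipaddress.ip_address(f[f.index("via") + 1])
        elif "/" in f[0] and "src" in f:
            net = ipaddress.ip_network(f[0], strict=False)
            connected[net] = ipaddress.ip_address(f[f.index("src") + 1])
    return connected, gateway

def check_dnat_target(text, target):
    """Return (status, snat_to) for a DNAT target address (hypothetical helper).

    "ok": target shares a connected subnet with the default gateway.
    "asymmetric": it does not; snat_to is the local address on the
    gateway's subnet, i.e. the --to-source of the SNAT workaround.
    "no-gateway": no default route, or its gateway is on no connected subnet.
    """
    connected, gateway = parse_routes(text)
    target = ipaddress.ip_address(target)
    gw_net = None
    if gateway is not None:
        gw_net = next((n for n in connected if gateway in n), None)
    if gw_net is None:
        return ("no-gateway", None)
    if target in gw_net:
        return ("ok", None)
    return ("asymmetric", str(connected[gw_net]))

if __name__ == "__main__":
    for addr in ("192.168.30.1", "192.168.20.1"):
        print(addr, check_dnat_target(ROUTES, addr))
```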